Google's webmail service is just the beginning of a new information surveillance regime

By Annalee Newitz

YES, ALL OVER the world, people are freaking out about Google's initial public offering, which is expected to raise $2.72 billion for the 6-year-old company. But the world is also coming unglued over Google's new webmail service, Gmail. Analysts say it has several features that are potentially illegal in Europe. California state Sen. Liz Figueroa believes Gmail represents such a privacy violation that she's drafted legislation to stop it. Meanwhile, as New York Times journalist Katie Hafner reported, many people think the service is just plain icky.

Although only Google employees and their friends are able to get Gmail accounts right now, tech activists and civil liberties groups all over the world have already begun calling for the search engine giant to halt the rollout of what promises to be the most luxurious free email service available anywhere on the web.

On April 1, Google quietly announced that it would be going into the webmail business. On its face, the company's proposed service sounded positively dreamy: a free Gmail account comes with a whopping gigabyte of storage space (vs. the four to six megabytes that competitors Hotmail and Yahoo! offer); it's fueled by Google's massive server farms; and a Gmail box can be full-text searched using the company's fabled secret-sauce algorithms. There's just one catch. To pay for this amazing free service, Google is serving up a few little ads with each email. No big deal.

Except these ads are context sensitive. They're generated by bots reading your email the instant you open it, discerning key concepts in the message and choosing ads that somehow fit with the content of your email. So an email from your friend about picking up some bagels will be accompanied by ads for bagel shops in your area. An email from your lover which refers to an intimate moment you had the night before might include ads for sex toys or online dating services.

It's easy to see why a lot of people deem this aspect of Gmail somewhat creepy. Many of us have a visceral response to the idea that our private communications are being mined for data that will generate advertisements. It's like finding yourself in the dystopian universe depicted in the recent film Minority Report: everywhere the characters go, they're scanned for personally identifying information and accosted by holographic ads that address them by name and offer to sell them Gap pants in the proper size. Since many of us find commercials slightly repulsive to begin with, it's even more unsettling to imagine that Google's bots are listening in on our conversations with friends and slipping ads into them.

For the legally minded, however, the ick factor is irrelevant. Kevin Bankston, an attorney with the Electronic Frontier Foundation, says, "I don't care if people think it's spooky. The real question is whether what Google is doing is legal, and it is."

But hackers and digital-security experts say there may be a reason for people to be spooked. One hacker spun out a possible scenario in which an anti-gay group buys Gmail ads that are targeted at people whose email reveals them to be gay. When these gay people click through the targeted ads, they land on the anti-gay website, which allows the website owners to log their IP addresses--and since IP addresses are often traceable to real-world addresses, the anti-gay group could possibly use targeted Gmail ads to compile a hit list of gay people, complete with directions to their targets' homes. Ryan Lackey, a security consultant who divides his time between Silicon Valley and Sealand, thinks this anonymous hacker's scenario is all too possible. "There's no doubt that these ads could narrow people down to gay or not gay," he says.

In a recent interview, Google co-founder Sergey Brin says Gmail won't let this hypothetical scenario come to pass. "First of all, you can't buy an ad for Gmail alone," he explains. "We have tens of thousands of websites to put ads on, and we don't let advertisers target specific ones. But also, we don't want an advertiser to have specific ads that will be matched with Latinos or another group somehow. We wanted to prevent that, because we were careful about privacy from the outset. We require that an ad match broadly and run broadly."

Despite Brin's assurances, and Google's well-deserved reputation as a thoughtful organization that cares about its customers, it's hard not to worry about what will happen after Gmail launches. Both Brin and co-founder Larry Page have suggested that they might want to link Gmail with Google's other services, such as social network Orkut and their signature search engine.

"You'd get a wealth of revealing data just by mapping the connections," suggests EFF's Bankston, who adds that this isn't just a problem with Google. It's a problem with any service like Yahoo! or Hotmail where users' personal data is stored on someone else's servers. This data is in what's called "third-party storage," and the laws that protect it from being read by law enforcement are much weaker than most people realize. In many cases, law enforcement could legally read most of your email without notifying you simply because it's "relevant" to a case they're investigating--even if you are not suspected of any criminal activity.

Ultimately, the problem isn't so much Google--it's the social precedent the company will set. Once the industry leader launches Gmail, other webmail companies are likely to offer competitive services, thus ushering in an era where nearly all our personal information is routinely scanned for conceptual data and stored with third parties. And that's why civil liberties groups want to act now, before Gmail launches. MIT graduate student and privacy advocate Simson Garfinkle sums up their concerns succinctly: "If they launch without addressing these important privacy issues and are successful, what is their motive to address them?"

Gmail Test Drive

Every time I talk to somebody from Google about Gmail, I get the same question: "Have you tried it?" It's the company mantra right now, which makes sense. Blasted by the press and tech community over a product that hasn't even launched yet, Google wants to make sure people test the thing before they judge it. But taking the taste test proves to be somewhat difficult: the only people with Gmail accounts are Google employees and their friends. Eventually, however, a kindly rep at the company hooks me up. I even get the soon-to-be-elite email address annalee@gmail.com.

Google has a reputation for putting together sweet user interfaces with hard-core, superfast data-crunching back ends. Why do we love the Google search engine? Because it's quicker and easier to use than a tape measure. And never underestimate the power of looking nice. It's clear that the engineers and graphic designers behind Gmail know this quite well. Logging into the site at gmail.google.com is quick and secure (SSL encrypts your password). I pick an incredibly insecure password--the word "private"--to see if Google will tell me not to use such an easily hacked dictionary word. But no warnings pop up and after my account is created I'm delivered into the Gmail interface proper.

Gmail is an attractively plain-faced site. The clean lines, pale blue accents and lack of graphic geegaws are precisely what I want out of a service that I use every day. Like a newspaper, it has the reassuring, no-nonsense look of an information repository. A couple of nice features are obvious right away. You can create keyboard shortcuts for common actions like composing a message or reporting spam. Also, messages are organized into threads called "conversations," which makes it a lot easier to figure out which emails are part of long question-and-answer sessions and which ones are on new topics.

Because my Gmail account holds a gigabyte of data, it's reasonable to imagine that I might use this service for 10 or 20 years. When I think in those terms, it becomes obvious to me why the full-text search functionality on Gmail is so necessary. In five years, I might want to find out if Chris Palmer ever wrote to me about why Gmail sucks in late April of 2004. Full-text search will allow me to do that. Of course, it will also allow law enforcement agents to search my old emails to see if Chris Palmer ever mentioned selling pirated CDs to me during the same time period.

I begin the real part of my test drive by sending out emails to all my friends. "Send me something weird or random so I can test the ad services on Gmail," I write. Like everyone else, I'm morbidly fascinated by the idea that Google bots will read my mail and deliver ads to me. Will I feel spied on? Will the ads be eerily on target or so random as to be laughable?

The first emails start rolling in within minutes. Jesse sends me a string of expletives and pornographic epithets. Ad count: zero. Google won't be serving up adult ads in Gmail, so dirty words lead to a noncommercial missive. My next email comes from Charlie, who suggests that we do a lot of things related to recent spam she's received: "Let's go skiing," she writes. "Or better yet, we should try Viagra. Or have prostate surgery for my bladder. Possibly we should get one of those spy cameras so we can watch each other shower." Frustratingly, this flagrant bid for spam also results in no ads.

At last, I begin to get some commercial content when Wendy writes to me: she's inserted a chunk of text from something she's writing criticizing the RIAA for suing P2P file sharers on the Internet. A tidy little column of ads pops up next to her email, looking exactly like the ones I see on Google when I do a search. In response to Wendy's impassioned argument against the RIAA's anti-sharing campaign, Google helpfully provides:

Well, those ads are fairly on target. They're relevant to what we're discussing: file sharing. But then, mysteriously, an email from Kevin--another obvious bid for ads--gets nothing. Although he mentions wanting an iPod, Gap jeans, tax-preparation help and Popeye's chicken, his mail remains adless.

I get the best results when Fyodor sends me the complete license agreement for his port-scanning tool, Nmap. Several ads related to port scanning and free software licenses pop up, and there's even a "related link" to Fyodor's own website, www.insecure.org. A day later, I get the creepiest results when I have a romantic conversation with my sweetie. I've sent him one of those schmoopy notes where I say something about thinking of him while I'm snuggled up in my favorite pajamas. When he replies with something equally schmoopy, there are ads for warm pajamas and sleepwear tucked into the mail. "Yuck," I think to myself: Gmail has managed to turn our love letters into a marketing device.

My verdict? The more targeted the ads are, the more they arouse the ick factor, particularly when you're dealing with personal exchanges. If we need to have ads in our email, I think it would be better for Google to randomly generate them. I'm just as likely to want to click through an ad for a file-sharing site when I'm reading a love letter as I am while exchanging work-related information with Wendy. Having Google's bots attempting to make "Buy warm sleepwear!" relevant to my sweetie's comment, "I love how cute you look in your pajamas," is just going to gross me out and make me less inclined to click through.

But this isn't to say that Gmail isn't seductive. Having a free gigabyte of storage was an instant turn-on for me: I've been a Yahoo! mail user since 1999, and the six megabytes of storage Yahoo! gives me have been a constant pain. I'm always having to delete messages, which is more annoying than you'd think. Plus, Yahoo! charges you to download your email. With Gmail, I'd rarely have to delete messages. And I could use the service to hold large files while I was in transit between work and home. Instead of saving an article to disk, I'd just mail it to myself in Gmail and download it to my computer when I got home. A gig is so much space that it's almost ridiculous, like a bribe for future favors.

The Trouble With Infinite Storage

The free gig, which seems so cool on the surface, is actually the most dangerous part of Gmail from a privacy perspective. While the context-specific ads feel creepy, they are currently an annoyance rather than a privacy violation (at least under U.S. law--in Europe, there are more stringent laws that forbid mixing private communication with commercial interests). But when Google encourages users to save years and years of private correspondence on Gmail servers, it is helping to set up what might become a surveillance nightmare.

As EFF's Bankston points out, the Stored Communications Act (part of the decades-old wiretap legislation package known as the Electronic Communications Privacy Act) stipulates that any electronic data stored with a third party for more than 180 days can be subpoenaed by law enforcement without notifying the owner of that data. Under certain conditions, data less than 180 days old can be subpoenaed in the same manner. Bankston elaborates, "Google is selling their service as 'Never delete email again.' And this emphasizes the problems with the law that protects your stored communications--regardless of any protections this law offers, [Gmail accounts] are a wonderful target for anyone who wants to get dirt on you. There could be a complete archive of your personal correspondence stored with a third party."

Like many privacy advocates, Bankston is quick to say that he thinks Google wants to do the right thing, and that this is a problem with any service that stores people's communications. Ultimately, he says, "This is the fault of a Supreme Court that interprets the Fourth Amendment as granting less protections when you store communications on somebody else's server as opposed to your own." To get information stored on your personal machines, law enforcement would always have to notify you first, regardless of whether they did it via subpoena (which you could then move to quash in court) or via warrant.

Privacy advocate Garfinkle worries that we are entering an era when most of our information will be stored with third parties, thus placing nearly everyone in a position to have their private communications searched at any time without notice. Gmail is merely the thin end of the wedge. "Computing will be a service in the future," postulates Garfinkle. "You'll have a terminal at home, and all your data will be stored at Google. This could be a future where that data is basically jointly owned by you and Google. I don't want to live in a future where I share all my information with Google. I want to control that relationship, and the rules we establish now, along with the mores and techniques and philosophy, are going to determine what that future looks like."

Concerns like this one led Garfinkle, along with 27 other privacy groups and activists, to sign a letter on April 6 asking Google to stop the rollout of the Gmail service until privacy issues are addressed. "The unlimited period for data retention poses unnecessary risks of misuse," it reads. "The Gmail system sets potentially dangerous precedents and establishes reduced expectations of privacy in email communications."

Tech journalist and free-market advocate Declan McCullagh has responded to this letter the way many Google supporters have. In an April 12 column, he reminds "regulatory enthusiasts" that Gmail is an optional service. People aren't forced to sign on. And when they do, they are warned beforehand what the possible risks are. If Gmail is forced by government to change its offering, "so much for preserving consumer choice," McCullagh warns.

Chris Hoofnagle, an attorney with the Electronic Privacy Information Center (EPIC), a Washington, D.C.-based group and signatory to the letter, isn't sure that McCullagh's argument holds water. "I think if Google does this today, then Hotmail will do it tomorrow," he says. "Is there really consumer choice here? I think this will just create another race to the bottom." He adds that even if Gmail users have chosen the company despite its privacy policies, people who send mail to Gmail customers haven't. Nevertheless, their private communications will reside on a third-party server indefinitely.

Another storage issue that's created a lot of controversy is a section in the Gmail privacy policy where the company states that even after you delete your mail, copies of it may be retained "for some time" on Google's system. Although Google co-founder Brin confirms that the privacy policy changes "regularly," this portion is likely to remain in place purely because, as Brin puts it, "we keep backups of email." The problem is that backups can also be subpoenaed, and if users aren't told how long these backups will be retained they can't make good consumer choices.

Given that Google has responded with alacrity to privacy advocates' concerns, with their attorneys meeting with groups like the Electronic Frontier Foundation and the Center for Democracy and Technology, it's unlikely that these copies are being kept for reasons that go beyond the technical need for backups. But as even McCullagh acknowledges, Google could one day be bought by another company that could retain copies of deleted email for less-than-savory reasons.

Security consultant Lackey puts it this way: "It's very dangerous to depend on the people running the system to make it work well. The people at Google seem great, but what happens when they go public?"

We Own Your Profile

Meanwhile, California state Sen. Figueroa's proposed Senate bill designed to hobble the Gmail service ignores data retention issues and focuses entirely on the contextual ad problem. It reads, in part, "This bill would prohibit a provider of e-mail or instant messaging services ... that serves California customers, from reviewing or evaluating the content of a customer's e-mail or instant messages, except as specified." If her bill passes, Google won't be able to "review" emails in order to place ads in them--at least when those emails are being sent to Gmail customers in California.

As Brin explains, this bill misses the point. "Our product keeps customer privacy better than a lot of others," Brin says. "No information about Gmail users goes off our site, and no information is shared with advertisers." Specs on Gmail's ad-delivery system show that the service does work in a somewhat privacy-friendly manner. Your email isn't scanned until the moment you open it--so there are no bots reading through your mailbox and inserting ads. Ads are generated in the nanoseconds between clicking on a piece of email and opening it.

Most importantly, Google claims that it keeps absolutely no records of which ads you're served and which "concepts" appear in your mail. So Google isn't developing a profile of your personal habits or predilections based on your email correspondence. As soon as you close your email, the ads disappear and all records of them do, too.

However, problems linger. Google might change its policy about keeping logs at any moment, especially if the company's ownership changes. This would result in a treasure trove of data that the Department of Justice would love to get its hands on. TIA may have failed, but perhaps Google won't. EPIC's Hoofnagle says this is a particularly dangerous situation. He worries, "We'll start seeing arguments from policy makers like the Heritage Foundation saying, 'Your email is already scanned for commercials, why not for acts of terrorism?' That's a hard argument to rebut. How do you argue that one use is appropriate but the other isn't?"

Let's assume that people will store decades' worth of private correspondence in Gmail. Records of the concepts that appear in these emails could be subpoenaed by law enforcement at any time for fishing expeditions to identify which people talk the most about things like keeping communications safe from the prying eyes of law enforcement.

Meanwhile, as the Gmail controversy rages, a small Amazon subsidiary company called A9 announced a new search service that promises to do exactly what privacy lovers fear Gmail could do in the future. A9 (www.A9.com) is a search service that helps you search the web as well as the full text of books on Amazon.com, plus it keeps a record of all the searches you've ever done. Records of all the searches you perform will be rich with the kinds of conceptual data that privacy advocates fear Gmail could be logging. More creepily, A9 won't even be subject to the soft restrictions that the SCA imposes on communications stored with third parties. After all, web searches are not communications at all, so law enforcement or other interested parties will be allowed to mine the history of your searches with impunity.

Encrypt Everything!

My hacker friend Mason, after several cups of coffee, is fond of pounding the table and yelling, "Encrypt everything!" In a future of third-party storage and full-text search, his geeky cheer is no longer the war cry of tinfoil-hat-wearing maniacs. It is, in fact, the solution proposed most often by policy analysts who want services like Gmail to flourish without compromising user privacy.

If Gmail users don't want Google's bots (or law enforcement) to read their email without permission, they should encourage Google to encrypt all communications data on its servers using an enterprise-level mail encryption product such as PGP Universal (www.pgp.com/products/universal/). As long as users hold the keys that encrypt their data, their mail will be decrypted only once it reaches the user's own computer. Law enforcement will still be allowed to subpoena the information, but they will have to alert the user first, since only he or she holds the key to decrypting it.

Brad Templeton, an entrepreneur and digital freedom activist, recently published a very persuasive paper on why Google ought to encrypt its data, and a few days later Google head Brin acknowledged in an interview with eWeek that Templeton might have a point.

If Google refuses to encrypt their data, users can move their data to Hushmail (www.hushmail.com), a free webmail service that encrypts all data on its servers.

Lackey, the security consultant, has been testing a Gmail account and dreaming up ways he would make the product more privacy-friendly. He thinks the solution may be social rather than technical. "You need to design this system for [privacy] auditing," he opines. "You could even have the auditor sign an NDA. Of course, the ideal system would allow any end user to audit the system on their own, so the company never knows when they are being audited. Without this, their policy is meaningless."

Concerned about the possibility that Google might start keeping information about concepts in people's emails, Lackey says he'd like to see Google adopt a data destruction policy. "The fundamental way to keep users' information from being compromised is not to have that information," he asserts.

Skeptics like Garfinkle point out that the main problem is that Google's vast database of personal information may fall into the wrong hands somewhere down the line. There is a long history of companies cooperating with law enforcement in data-mining operations without any provocation other than a misplaced desire to help fight ill-defined bad guys.

As part of the Computer Assisted Passenger Prescreening System project during the past year, several airline companies, including JetBlue and Delta, allowed the FBI to conduct "practice runs" with data-mining software on their passenger databases, testing out their techniques for locating terrorists on real, personally identifiable data.

Google representatives say that they are listening to the concerns of privacy advocates and will take them into account when redrafting their Gmail policies. Insiders say the company has recently hired a policy analyst whose main job will be to deal with privacy issues.

In the meantime, EPIC has served the FBI with a Freedom of Information Act request for information on "all records . . . involving communications between agency officials and representatives of Google Inc. regarding use of Google search technology for law enforcement and intelligence purposes, and particularly the possible use of Google's Gmail service for law enforcement and intelligence investigations."

It's a bold and interesting move, one which has gotten the scrappy advocacy group called "privacy fundamentalists" and much worse. What their FOIA request turns up, however, may surprise the doubters. After all, executives from antivirus software companies Symantec and Network Associates met with Department of Justice officials after 9/11, and it was widely speculated that they were discussing how antivirus software could be used to "backdoor" consumers' computers so the feds could tap them more easily.

Bankston, the attorney with EFF, reiterates that Google isn't the problem: the laws that regulate privacy online are. "Our online behavior is increasingly controlled by third parties," he says. Laws like the Stored Communications Act need to protect that data the same way they protect information we have stored on our home computers. The ethical and legal snarls Gmail represents are merely a harbinger of conflicts to come.